querysub 0.436.0 → 0.438.0

package/src/-c-identity/IdentityController.ts

@@ -1,259 +1,259 @@
-/**
- *      Allows clients to set their certificate, as long as it meets our strict schema requirements.
- *      - Our requirements ensure that even though the certificates are self signed, they can't
- *          be impersonated by other users (because their common name contains their public key).
- */
-
-import debugbreak from "debugbreak";
-import { SocketFunction } from "socket-function/SocketFunction";
-import { CallerContext } from "socket-function/SocketFunctionTypes";
-import { cache, cacheWeak, lazy } from "socket-function/src/caching";
-import { getClientNodeId, getNodeId, getNodeIdDomain, getNodeIdIP, getNodeIdLocation, isClientNodeId } from "socket-function/src/nodeCache";
-import { decodeNodeId, getCommonName, getIdentityCA, getMachineId, getOwnMachineId, getPublicIdentifier, getThreadKeyCert, parseCert, sign, validateCertificate, verify } from "../-a-auth/certs";
-import { getShortNumber } from "../bits";
-import { measureBlock, measureFnc, measureWrap } from "socket-function/src/profiling/measure";
-import { timeoutToError } from "../errors";
-import { delay } from "socket-function/src/batching";
-import { formatTime } from "socket-function/src/formatting/format";
-import { waitForFirstTimeSync } from "socket-function/time/trueTimeShim";
-import { red } from "socket-function/src/formatting/logColors";
-import { isNode } from "typesafecss";
-import { areNodeIdsEqual, getOwnNodeId, getOwnThreadId } from "../-f-node-discovery/NodeDiscovery";
-import { timeInMinute } from "socket-function/src/misc";
-
-// NOTE: This used to be small, but we cache this, so it would mean a node on startup would time out, and then we would refuse to talk to it ever again. So... this can't be small
-const MAX_CHANGE_IDENTITY_TIMEOUT = timeInMinute * 5;
-
-let callerInfo = new Map<CallerContext, {
-    reconnectNodeId: string | undefined;
-    machineId: string;
-    cert: CertInfo;
-    pubKey: Buffer;
-    pubKeyShort: number;
-}>();
-const callerInfoErrorString = `Internal error, caller did not updated their identity. Is this an HTTPS call (instead of a websocket call)? The caller should import the server controller, which imports this function, which will add a client hook to always update the identity`;
-
-/** Gets the nodeId of the caller suitable for reconnecting (to the same process).
- *  - Also useful for logs, to identify a node on the network.
- *  - Is global, so can be passed between nodes (although, the chance of the other process
- *      staying alive for a long period of time is low).
-*/
-export function IdentityController_getReconnectNodeId(callerContext: CallerContext, allowUndefined?: "allowUndefined"): string | undefined {
-    if (!isClientNodeId(callerContext.nodeId)) {
-        return callerContext.nodeId;
-    }
-    let info = callerInfo.get(callerContext);
-    if (!info) {
-        if (allowUndefined) return undefined;
-        throw new Error(callerInfoErrorString);
-    }
-    return info.reconnectNodeId;
-}
-export function IdentityController_getReconnectNodeIdAssert(callerContext: CallerContext): string {
-    if (!isClientNodeId(callerContext.nodeId)) {
-        return callerContext.nodeId;
-    }
-    let reconnectId = IdentityController_getReconnectNodeId(callerContext);
-    if (!reconnectId) throw new Error(`Caller did not mount before connecting. This call requires the caller to be listening.`);
-    return reconnectId;
-}
-export function IdentityController_getSecureIP(callerContext: CallerContext): string {
-    return getNodeIdIP(callerContext.nodeId);
-}
-export function IdentityController_getCurrentReconnectNodeIdAssert(): string {
-    return IdentityController_getReconnectNodeIdAssert(SocketFunction.getCaller());
-}
-export function IdentityController_getCurrentReconnectNodeId(): string | undefined {
-    return IdentityController_getReconnectNodeId(SocketFunction.getCaller());
-}
-
-export function debugNodeId(nodeId: string) {
-    let info = Array.from(callerInfo.entries()).find(x => x[0].nodeId === nodeId);
-    return info?.[1].reconnectNodeId || nodeId;
-};
-(globalThis as any).debugNodeId = debugNodeId;
-
-export function debugNodeThread(nodeId: string) {
-    nodeId = debugNodeId(nodeId);
-    return decodeNodeId(nodeId)?.threadId || nodeId;
-}
-
-/** Gets the nodeId of the machine, which should be consistent. When deciding to trust a node
- *      this should be used instead of the reconnectId (otherwise you will have to trust
- *      every single process individually, which will take forever!)
- */
-export function IdentityController_getMachineId(callerContext: CallerContext, allowEmpty?: "allowEmpty"): string {
-    let location = getNodeIdLocation(callerContext.nodeId);
-    if (location) {
-        return getMachineId(location.address);
-    }
-    let info = callerInfo.get(callerContext);
-    if (!info) {
-        if (allowEmpty) return "";
-        throw new Error(callerInfoErrorString);
-    }
-    return info.machineId;
-}
-
-export type CertInfo = { certPEM: Buffer | string; issuerPEM: Buffer | string; };
-export function IdentityController_getCertInfo(callerContext: CallerContext): CertInfo {
-    let info = callerInfo.get(callerContext);
-    if (!info) throw new Error(callerInfoErrorString);
-    return info.cert;
-}
-
-export function IdentityController_getPubKeyShort(callerContext: CallerContext): number {
-    let info = callerInfo.get(callerContext);
-    if (!info) throw new Error(callerInfoErrorString);
-    return info.pubKeyShort;
-}
-export const IdentityController_getOwnPubKeyShort = lazy((): number => {
-    let cert = getThreadKeyCert();
-    let pubKey = getPublicIdentifier(cert.cert);
-    return getShortNumber(pubKey);
-});
-
-
-export interface ChangeIdentityPayload {
-    time: number;
-    cert: string;
-    certIssuer: string;
-    serverId: string;
-    mountedPort: number | undefined;
-    debugEntryPoint: string | undefined;
-    clientIsNode: boolean;
-}
-class IdentityControllerBase {
-    // IMPORTANT! We HAVE to call changeIdentity NOT JUST because we can't use peer certificates in the browser, BUT, also
-    //  because this removes the need to load peer certificates into the trust store. This greatly simplifies
-    //  a lot of the trust system and the trust call order, allowing us to use connections to determine
-    //  if we want to trust a node (instead of having to trust a node before it can connect to us, because
-    //  NodeJS will throw/ignore the peer cert if it isn't trusted).
-    @measureFnc
-    public async changeIdentity(signature: string, payload: ChangeIdentityPayload) {
-        let time = Date.now();
-        const caller = SocketFunction.getCaller();
-        // Verify it wasn't signed too long ago (to make signature stealing WAY more difficult).
-        const signedThreshold = Date.now() - MAX_CHANGE_IDENTITY_TIMEOUT;
-        if (payload.time < signedThreshold) {
-            throw new Error(`Signed payload too old, ${payload.time} < ${signedThreshold} from ${caller.localNodeId} (${caller.nodeId})`);
-        }
-
-        if (payload.clientIsNode && payload.serverId !== getOwnNodeId()) {
-            // This is extremely common when we reuse ports, which we do frequently for the edge nodes. 
-            throw new Error(`You tried to contact another server. We are ${getOwnNodeId()}, you tried to contact ${payload.serverId}.`);
-        }
-
-        // Verify the signature is meant for us, otherwise any other site can hijack the login!
-        //  (We don't have to worry about other servers on the same domain, as all servers
-        //      on the same domain should be the same!)
-        let localNodeId = caller.localNodeId;
-        if (!areNodeIdsEqual(payload.serverId, localNodeId)) {
-            throw new Error(`Identity is for another server! The connection is calling us ${localNodeId}, but signature is for ${payload.serverId}`);
-        }
-        // If they're calling from the browser, then they're not going to be able to use our machine ID, etc. However, they should be calling an actual https node, so it should still be secure for them. 
-        if (payload.clientIsNode) {
-            let calledMachineId = getMachineId(payload.serverId);
-            if (calledMachineId !== "127-0-0-1" && calledMachineId !== getOwnMachineId()) {
-                throw new Error(`Tried to call a different machine. We are ${getOwnMachineId()}, they called ${calledMachineId}`);
-            }
-            let calledThreadId = decodeNodeId(payload.serverId)?.threadId;
-            if (calledThreadId && calledThreadId !== "127-0-0-1" && calledThreadId !== getOwnThreadId()) {
-                throw new Error(`Tried to call a different thread. We are ${getOwnThreadId()}, they called ${calledThreadId}`);
-            }
-        }
-
-
-        // Verify the caller can sign as the cert
-        verify(payload.cert, signature, payload);
-
-        // Verify we even trust the issuer/cert pair
-        validateCertificate(payload.cert, payload.certIssuer);
-
-        let reconnectNodeId: string | undefined;
-        if (payload.mountedPort) {
-            // NOTE: We use the common name, and not getNodeIdIP... because anything connecting will need
-            //  to use HTTPS, so connecting over the IP won't work! (unless they turn off certificate validation,
-            //  which we shouldn't do...)
-            reconnectNodeId = getNodeId(getCommonName(payload.cert), payload.mountedPort);
-        }
-
-        let pubKey = getPublicIdentifier(payload.cert);
-        let machineId = getMachineId(getCommonName(payload.certIssuer));
-
-        callerInfo.set(caller, {
-            cert: { certPEM: payload.cert, issuerPEM: payload.certIssuer },
-            machineId,
-            reconnectNodeId,
-            pubKey,
-            pubKeyShort: getShortNumber(pubKey),
-        });
-
-        let duration = Date.now() - time;
-        console.log(`Authenticated identity for ${caller.nodeId} in ${formatTime(duration)}, at ${Date.now()}`, {
-            clientId: caller.nodeId,
-            reconnectNodeId,
-            duration,
-            mountedPort: payload.mountedPort,
-            debugEntryPoint: payload.debugEntryPoint,
-        });
-
-        SocketFunction.onNextDisconnect(caller.nodeId, () => {
-            // NOTE: I don't really see any purpose of deleting from caller info. I don't think we're going to run out of memory because of too many callers authenticating. 
-            // However, logging here is useful as it allows us to complete the life cycle so we know how long a client was connected for.
-            console.log(`Disconnected client`, {
-                clientId: caller.nodeId,
-            });
-        });
-    }
-}
-
-const IdentityController = SocketFunction.register(
-    "IdentityController-4a1b77d7-2825-433e-a27c-e2b8a2e74457",
-    new IdentityControllerBase(),
-    () => ({
-        changeIdentity: {
-            // If we use hooks here, it can cause an infinite loop (which SocketFunction just turns into
-            //  a deadlock). So... we just don't use any hooks for this call.
-            // Actually.. I think we were seeing a different issue. And client hooks are required,
-            //  so we can trust the remote cert correctly.
-            // noClientHooks: true,
-            // noDefaultHooks: true,
-        },
-    })
-);
-
-// IMPORTANT! We need to cache per connection, not per nodeId, so caching based on connectionId is required!
-const changeIdentityOnce = cacheWeak(async function changeIdentityOnce(connectionId: { nodeId: string }) {
-    let nodeId = connectionId.nodeId;
-    let threadKeyCert = getThreadKeyCert();
-    let issuer = getIdentityCA();
-    let payload: ChangeIdentityPayload = {
-        time: Date.now(),
-        serverId: nodeId,
-        cert: threadKeyCert.cert.toString(),
-        certIssuer: issuer.cert.toString(),
-        mountedPort: getNodeIdLocation(SocketFunction.mountedNodeId)?.port,
-        debugEntryPoint: isNode() ? process.argv[1] : "browser",
-        clientIsNode: isNode(),
-    };
-    let signature = sign(threadKeyCert, payload);
-    await timeoutToError(
-        MAX_CHANGE_IDENTITY_TIMEOUT,
-        IdentityController.nodes[nodeId].changeIdentity(signature, payload),
-        () => new Error(`Timeout calling changeIdentity for ${nodeId}`)
-    );
-});
-SocketFunction.addGlobalClientHook(async function identityHook(context) {
-    if (context.call.classGuid === IdentityController._classGuid) return;
-    // This is for US to tell them our identity. And if they established the connection the identity will come from their original connection url (that they used to connect to us), and they validated it either being a real certificate, or they added the cert from the trusted backblaze bucket. If it just from a real certificate it means we identified them, but they might not have network trust. But that's fine, as IdentityController is JUST for identification, and if it's a real certificate we know who they are! (Which doesn't mean we trust them).
-    if (isClientNodeId(context.call.nodeId)) {
-        return;
-    }
-    let time = Date.now();
-    await changeIdentityOnce(context.connectionId);
-    let duration = Date.now() - time;
-    if (duration > 200) {
-        console.log(red(`IdentityHook took ${formatTime(duration)} for ${context.connectionId.nodeId} ${context.call.classGuid}.${context.call.functionName}`));
-    }
+/**
+ *      Allows clients to set their certificate, as long as it meets our strict schema requirements.
+ *      - Our requirements ensure that even though the certificates are self signed, they can't
+ *          be impersonated by other users (because their common name contains their public key).
+ */
+
+import debugbreak from "debugbreak";
+import { SocketFunction } from "socket-function/SocketFunction";
+import { CallerContext } from "socket-function/SocketFunctionTypes";
+import { cache, cacheWeak, lazy } from "socket-function/src/caching";
+import { getClientNodeId, getNodeId, getNodeIdDomain, getNodeIdIP, getNodeIdLocation, isClientNodeId } from "socket-function/src/nodeCache";
+import { decodeNodeId, getCommonName, getIdentityCA, getMachineId, getOwnMachineId, getPublicIdentifier, getThreadKeyCert, parseCert, sign, validateCertificate, verify } from "../-a-auth/certs";
+import { getShortNumber } from "../bits";
+import { measureBlock, measureFnc, measureWrap } from "socket-function/src/profiling/measure";
+import { timeoutToError } from "../errors";
+import { delay } from "socket-function/src/batching";
+import { formatTime } from "socket-function/src/formatting/format";
+import { waitForFirstTimeSync } from "socket-function/time/trueTimeShim";
+import { red } from "socket-function/src/formatting/logColors";
+import { isNode } from "typesafecss";
+import { areNodeIdsEqual, getOwnNodeId, getOwnThreadId } from "../-f-node-discovery/NodeDiscovery";
+import { timeInMinute } from "socket-function/src/misc";
+
+// NOTE: This used to be small, but we cache this, so it would mean a node on startup would time out, and then we would refuse to talk to it ever again. So... this can't be small
+const MAX_CHANGE_IDENTITY_TIMEOUT = timeInMinute * 5;
+
+let callerInfo = new Map<CallerContext, {
+    reconnectNodeId: string | undefined;
+    machineId: string;
+    cert: CertInfo;
+    pubKey: Buffer;
+    pubKeyShort: number;
+}>();
+const callerInfoErrorString = `Internal error, caller did not updated their identity. Is this an HTTPS call (instead of a websocket call)? The caller should import the server controller, which imports this function, which will add a client hook to always update the identity`;
+
+/** Gets the nodeId of the caller suitable for reconnecting (to the same process).
+ *  - Also useful for logs, to identify a node on the network.
+ *  - Is global, so can be passed between nodes (although, the chance of the other process
+ *      staying alive for a long period of time is low).
+*/
+export function IdentityController_getReconnectNodeId(callerContext: CallerContext, allowUndefined?: "allowUndefined"): string | undefined {
+    if (!isClientNodeId(callerContext.nodeId)) {
+        return callerContext.nodeId;
+    }
+    let info = callerInfo.get(callerContext);
+    if (!info) {
+        if (allowUndefined) return undefined;
+        throw new Error(callerInfoErrorString);
+    }
+    return info.reconnectNodeId;
+}
+export function IdentityController_getReconnectNodeIdAssert(callerContext: CallerContext): string {
+    if (!isClientNodeId(callerContext.nodeId)) {
+        return callerContext.nodeId;
+    }
+    let reconnectId = IdentityController_getReconnectNodeId(callerContext);
+    if (!reconnectId) throw new Error(`Caller did not mount before connecting. This call requires the caller to be listening.`);
+    return reconnectId;
+}
+export function IdentityController_getSecureIP(callerContext: CallerContext): string {
+    return getNodeIdIP(callerContext.nodeId);
+}
+export function IdentityController_getCurrentReconnectNodeIdAssert(): string {
+    return IdentityController_getReconnectNodeIdAssert(SocketFunction.getCaller());
+}
+export function IdentityController_getCurrentReconnectNodeId(): string | undefined {
+    return IdentityController_getReconnectNodeId(SocketFunction.getCaller());
+}
+
+export function debugNodeId(nodeId: string) {
+    let info = Array.from(callerInfo.entries()).find(x => x[0].nodeId === nodeId);
+    return info?.[1].reconnectNodeId || nodeId;
+};
+(globalThis as any).debugNodeId = debugNodeId;
+
+export function debugNodeThread(nodeId: string) {
+    nodeId = debugNodeId(nodeId);
+    return decodeNodeId(nodeId)?.threadId || nodeId;
+}
+
+/** Gets the nodeId of the machine, which should be consistent. When deciding to trust a node
+ *      this should be used instead of the reconnectId (otherwise you will have to trust
+ *      every single process individually, which will take forever!)
+ */
+export function IdentityController_getMachineId(callerContext: CallerContext, allowEmpty?: "allowEmpty"): string {
+    let location = getNodeIdLocation(callerContext.nodeId);
+    if (location) {
+        return getMachineId(location.address);
+    }
+    let info = callerInfo.get(callerContext);
+    if (!info) {
+        if (allowEmpty) return "";
+        throw new Error(callerInfoErrorString);
+    }
+    return info.machineId;
+}
+
+export type CertInfo = { certPEM: Buffer | string; issuerPEM: Buffer | string; };
+export function IdentityController_getCertInfo(callerContext: CallerContext): CertInfo {
+    let info = callerInfo.get(callerContext);
+    if (!info) throw new Error(callerInfoErrorString);
+    return info.cert;
+}
+
+export function IdentityController_getPubKeyShort(callerContext: CallerContext): number {
+    let info = callerInfo.get(callerContext);
+    if (!info) throw new Error(callerInfoErrorString);
+    return info.pubKeyShort;
+}
+export const IdentityController_getOwnPubKeyShort = lazy((): number => {
+    let cert = getThreadKeyCert();
+    let pubKey = getPublicIdentifier(cert.cert);
+    return getShortNumber(pubKey);
+});
+
+
+export interface ChangeIdentityPayload {
+    time: number;
+    cert: string;
+    certIssuer: string;
+    serverId: string;
+    mountedPort: number | undefined;
+    debugEntryPoint: string | undefined;
+    clientIsNode: boolean;
+}
+class IdentityControllerBase {
+    // IMPORTANT! We HAVE to call changeIdentity NOT JUST because we can't use peer certificates in the browser, BUT, also
+    //  because this removes the need to load peer certificates into the trust store. This greatly simplifies
+    //  a lot of the trust system and the trust call order, allowing us to use connections to determine
+    //  if we want to trust a node (instead of having to trust a node before it can connect to us, because
+    //  NodeJS will throw/ignore the peer cert if it isn't trusted).
+    @measureFnc
+    public async changeIdentity(signature: string, payload: ChangeIdentityPayload) {
+        let time = Date.now();
+        const caller = SocketFunction.getCaller();
+        // Verify it wasn't signed too long ago (to make signature stealing WAY more difficult).
+        const signedThreshold = Date.now() - MAX_CHANGE_IDENTITY_TIMEOUT;
+        if (payload.time < signedThreshold) {
+            throw new Error(`Signed payload too old, ${payload.time} < ${signedThreshold} from ${caller.localNodeId} (${caller.nodeId})`);
+        }
+
+        if (payload.clientIsNode && payload.serverId !== getOwnNodeId()) {
+            // This is extremely common when we reuse ports, which we do frequently for the edge nodes. 
+            throw new Error(`You tried to contact another server. We are ${getOwnNodeId()}, you tried to contact ${payload.serverId}.`);
+        }
+
+        // Verify the signature is meant for us, otherwise any other site can hijack the login!
+        //  (We don't have to worry about other servers on the same domain, as all servers
+        //      on the same domain should be the same!)
+        let localNodeId = caller.localNodeId;
+        if (!areNodeIdsEqual(payload.serverId, localNodeId)) {
+            throw new Error(`Identity is for another server! The connection is calling us ${localNodeId}, but signature is for ${payload.serverId}`);
+        }
+        // If they're calling from the browser, then they're not going to be able to use our machine ID, etc. However, they should be calling an actual https node, so it should still be secure for them. 
+        if (payload.clientIsNode) {
+            let calledMachineId = getMachineId(payload.serverId);
+            if (calledMachineId !== "127-0-0-1" && calledMachineId !== getOwnMachineId()) {
+                throw new Error(`Tried to call a different machine. We are ${getOwnMachineId()}, they called ${calledMachineId}`);
+            }
+            let calledThreadId = decodeNodeId(payload.serverId)?.threadId;
+            if (calledThreadId && calledThreadId !== "127-0-0-1" && calledThreadId !== getOwnThreadId()) {
+                throw new Error(`Tried to call a different thread. We are ${getOwnThreadId()}, they called ${calledThreadId}`);
+            }
+        }
+
+
+        // Verify the caller can sign as the cert
+        verify(payload.cert, signature, payload);
+
+        // Verify we even trust the issuer/cert pair
+        validateCertificate(payload.cert, payload.certIssuer);
+
+        let reconnectNodeId: string | undefined;
+        if (payload.mountedPort) {
+            // NOTE: We use the common name, and not getNodeIdIP... because anything connecting will need
+            //  to use HTTPS, so connecting over the IP won't work! (unless they turn off certificate validation,
+            //  which we shouldn't do...)
+            reconnectNodeId = getNodeId(getCommonName(payload.cert), payload.mountedPort);
+        }
+
+        let pubKey = getPublicIdentifier(payload.cert);
+        let machineId = getMachineId(getCommonName(payload.certIssuer));
+
+        callerInfo.set(caller, {
+            cert: { certPEM: payload.cert, issuerPEM: payload.certIssuer },
+            machineId,
+            reconnectNodeId,
+            pubKey,
+            pubKeyShort: getShortNumber(pubKey),
+        });
+
+        let duration = Date.now() - time;
+        console.log(`Authenticated identity for ${caller.nodeId} in ${formatTime(duration)}, at ${Date.now()}`, {
+            clientId: caller.nodeId,
+            reconnectNodeId,
+            duration,
+            mountedPort: payload.mountedPort,
+            debugEntryPoint: payload.debugEntryPoint,
+        });
+
+        SocketFunction.onNextDisconnect(caller.nodeId, () => {
+            // NOTE: I don't really see any purpose of deleting from caller info. I don't think we're going to run out of memory because of too many callers authenticating. 
+            // However, logging here is useful as it allows us to complete the life cycle so we know how long a client was connected for.
+            console.log(`Disconnected client`, {
+                clientId: caller.nodeId,
+            });
+        });
+    }
+}
+
+const IdentityController = SocketFunction.register(
+    "IdentityController-4a1b77d7-2825-433e-a27c-e2b8a2e74457",
+    new IdentityControllerBase(),
+    () => ({
+        changeIdentity: {
+            // If we use hooks here, it can cause an infinite loop (which SocketFunction just turns into
+            //  a deadlock). So... we just don't use any hooks for this call.
+            // Actually.. I think we were seeing a different issue. And client hooks are required,
+            //  so we can trust the remote cert correctly.
+            // noClientHooks: true,
+            // noDefaultHooks: true,
+        },
+    })
+);
+
+// IMPORTANT! We need to cache per connection, not per nodeId, so caching based on connectionId is required!
+const changeIdentityOnce = cacheWeak(async function changeIdentityOnce(connectionId: { nodeId: string }) {
+    let nodeId = connectionId.nodeId;
+    let threadKeyCert = getThreadKeyCert();
+    let issuer = getIdentityCA();
+    let payload: ChangeIdentityPayload = {
+        time: Date.now(),
+        serverId: nodeId,
+        cert: threadKeyCert.cert.toString(),
+        certIssuer: issuer.cert.toString(),
+        mountedPort: getNodeIdLocation(SocketFunction.mountedNodeId)?.port,
+        debugEntryPoint: isNode() ? process.argv[1] : "browser",
+        clientIsNode: isNode(),
+    };
+    let signature = sign(threadKeyCert, payload);
+    await timeoutToError(
+        MAX_CHANGE_IDENTITY_TIMEOUT,
+        IdentityController.nodes[nodeId].changeIdentity(signature, payload),
+        () => new Error(`Timeout calling changeIdentity for ${nodeId}`)
+    );
+});
+SocketFunction.addGlobalClientHook(async function identityHook(context) {
+    if (context.call.classGuid === IdentityController._classGuid) return;
+    // This is for US to tell them our identity. And if they established the connection the identity will come from their original connection url (that they used to connect to us), and they validated it either being a real certificate, or they added the cert from the trusted backblaze bucket. If it just from a real certificate it means we identified them, but they might not have network trust. But that's fine, as IdentityController is JUST for identification, and if it's a real certificate we know who they are! (Which doesn't mean we trust them).
+    if (isClientNodeId(context.call.nodeId)) {
+        return;
+    }
+    let time = Date.now();
+    await changeIdentityOnce(context.connectionId);
+    let duration = Date.now() - time;
+    if (duration > 200) {
+        console.log(red(`IdentityHook took ${formatTime(duration)} for ${context.connectionId.nodeId} ${context.call.classGuid}.${context.call.functionName}`));
+    }
 });